Guide to the Secure Configuration of Red Hat Enterprise Linux 5

Revision 4.1
February 28, 2011

Operating Systems Division Unix Team
of the Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704

Warnings

Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns.

The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems.

Internet addresses referenced were valid as of 1 Dec 2009.

Trademark Information

Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.

Change Log

Revision 4.1 is an update of Revision 4 dated September 14, 2010.

- Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.
- Added Common Configuration Enumeration (CCE) identifiers to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.
- Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth. The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.
- Corrected section 2.6.2.4.5 title from Ensure auditd Collects Logon and Logout Events to Record Attempts to Alter Logon and Logout Event Information.
- Corrected section 2.6.2.4.6 title from Ensure auditd Collects Process and Session Initiation Information to Record Attempts to Alter Process and Session Initiation Information.

Note: The above changes did not affect any
of the section numbering.

Table of Contents

1 Introduction ... 13
  1.1 General Principles ... 13
    1.1.1 Encrypt Transmitted Data Whenever Possible ... 13
    1.1.2 Minimize Software to Minimize Vulnerability ... 13
    1.1.3 Run Different Network Services on Separate Systems ... 13
    1.1.4 Configure Security Tools to Improve System Robustness ... 14
    1.1.5 Least Privilege ... 14
  1.2 How to Use This Guide ... 14
    1.2.1 Read Sections Completely and in Order ... 14
    1.2.2 Test in Non-Production Environment ... 14
    1.2.3 Root Shell Environment Assumed ... 14
    1.2.4 Formatting Conventions ... 15
    1.2.5 Reboot Required ... 15
2 System-wide Configuration ... 17
  2.1 Installing and Maintaining Software ... 17
    2.1.1 Initial Installation Recommendations ... 17
      2.1.1.1 Disk Partitioning ... 17
      2.1.1.2 Boot Loader Configuration ... 18
      2.1.1.3 Network Devices ... 19
      2.1.1.4 Root Password ... 19
      2.1.1.5 Software Packages ... 19
      2.1.1.6 First-boot Configuration ... 19
    2.1.2 Updating Software ... 20
      2.1.2.1 Configure Connection to the RHN RPM Repositories ... 20
      2.1.2.2 Disable the rhnsd Daemon ... 21
      2.1.2.3 Obtain Software Package Updates with yum ... 21
    2.1.3 Software Integrity Checking ... 22
      2.1.3.1 Configure AIDE ... 23
      2.1.3.2 Verify Package Integrity Using RPM ... 24
  2.2 File Permissions and Masks ... 25
    2.2.1 Restrict Partition Mount Options ... 25
      2.2.1.1 Add nodev Option to Non-Root Local Partitions ... 25
      2.2.1.2 Add nodev, nosuid, and noexec Options to Removable Storage Partitions ... 26
      2.2.1.3 Add nodev, nosuid, and noexec Options to Temporary Storage Partitions ... 26
      2.2.1.4 Bind-mount /var/tmp to /tmp ... 26
    2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems ... 27
      2.2.2.1 Restrict Console Device Access ... 27
      2.2.2.2 Disable USB Device Support ... 27
      2.2.2.3 Disable the Automounter if Possible ... 28
      2.2.2.4 Disable GNOME Automounting if Possible ... 29
      2.2.2.5 Disable Mounting of Uncommon Filesystem Types ... 29
      2.2.2.6 Disable All GNOME Thumbnailers if Possible ... 30
    2.2.3 Verify Permissions on Important Files and Directories ... 30
      2.2.3.1 Verify Permissions on passwd, shadow, group and gshadow Files ... 30
      2.2.3.2 Verify that All World-Writable Directories Have Sticky Bits Set ... 31
      2.2.3.3 Find Unauthorized World-Writable Files ... 31
      2.2.3.4 Find Unauthorized SUID/SGID System Executables ... 31
      2.2.3.5 Find and Repair Unowned Files ... 33
      2.2.3.6 Verify that All World-Writable Directories Have Proper Ownership ... 33
    2.2.4 Restrict Programs from Dangerous Execution Patterns ... 33
      2.2.4.1 Set Daemon umask ... 33
      2.2.4.2 Disable Core Dumps ... 34
      2.2.4.3 Enable ExecShield ... 35
      2.2.4.4 Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems ... 35
      2.2.4.5 Configure Prelink ... 36
  2.3 Account and Access Control ... 37
    2.3.1 Protect Accounts by Restricting Password-Based Login ... 37
      2.3.1.1 Restrict Root Logins to System Console ... 37
      2.3.1.2 Limit su Access to the Root Account ... 38
      2.3.1.3 Configure sudo to Improve Auditing of Root Access ... 39
      2.3.1.4 Block Shell and Login Access for Non-Root System Accounts ... 39
      2.3.1.5 Verify Proper Storage and Existence of Password Hashes ... 40
      2.3.1.6 Verify that No Non-Root Accounts Have UID 0 ... 40
      2.3.1.7 Set Password Expiration Parameters ... 41
      2.3.1.8 Remove Legacy '+' Entries from Password Files ... 42
    2.3.2 Use Unix Groups to Enhance Security ... 42
      2.3.2.1 Create a Unique Default Group for Each User ... 42
      2.3.2.2 Create and Maintain a Group Containing All Human Users ... 42
    2.3.3 Protect Accounts by Configuring PAM ... 43
      2.3.3.1 Set Password Quality Requirements ... 43
      2.3.3.2 Set Lockouts for Failed Password Attempts ... 44
      2.3.3.3 Use pam_deny.so to Quickly Deny Access to a Service ... 45
      2.3.3.4 Restrict Execution of userhelper to Console Users ... 45
      2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 ... 46
      2.3.3.6 Limit Password Reuse ... 46
      2.3.3.7 Remove the pam_ccreds Package if Possible ... 47
    2.3.4 Secure Session Configuration Files for Login Accounts ... 47
      2.3.4.1 Ensure that No Dangerous Directories Exist in Root's Path ... 47
      2.3.4.2 Ensure that User Home Directories are not Group-Writable or World-Readable ... 48
      2.3.4.3 Ensure that User Dot-Files are not World-writable ... 48
      2.3.4.4 Ensure that Users Have Sensible Umask Values ... 49
      2.3.4.5 Ensure that Users do not Have .netrc Files ... 49
    2.3.5 Protect Physical Console Access ... 49
      2.3.5.1 Set BIOS Password ... 50
      2.3.5.2 Set Boot Loader Password ... 50
      2.3.5.3 Require Authentication for Single-User Mode ... 50
      2.3.5.4 Disable Interactive Boot ... 51
      2.3.5.5 Implement Inactivity Time-out for Login Shells ... 51
      2.3.5.6 Configure Screen Locking ... 52
      2.3.5.7 Disable Unnecessary Ports ... 53
    2.3.6 Use a Centralized Authentication Service ... 53
    2.3.7 Warning Banners for System Accesses ... 54
      2.3.7.1 Modify the System Login Banner ... 54
      2.3.7.2 Implement a GUI Warning Banner ... 54
  2.4 SELinux ... 55
    2.4.1 How SELinux Works ... 55
    2.4.2 Enable SELinux ... 56
      2.4.2.1 Ensure SELinux is Properly Enabled ... 56
    2.4.3 Disable Unnecessary SELinux Daemons ... 57
      2.4.3.1 Disable and Remove SETroubleshoot if Possible ... 57
      2.4.3.2 Disable MCS Translation Service (mcstrans) if Possible ... 57
      2.4.3.3 Restorecon Service (restorecond) ... 58
    2.4.4 Check for Unconfined Daemons ... 58
    2.4.5 Check for Unlabeled Device Files ... 58
    2.4.6 Debugging SELinux Policy Errors ... 58
    2.4.7 Further Strengthening ... 60
      2.4.7.1 Strengthen the Default SELinux Boolean Configuration ... 61
      2.4.7.2 Use a Stronger Policy ... 61
    2.4.8 SELinux References ... 62
  2.5 Network Configuration and Firewalls ... 62
    2.5.1 Kernel Parameters which Affect Networking ... 62
      2.5.1.1 Network Parameters for Hosts Only ... 62
      2.5.1.2 Network Parameters for Hosts and Routers ... 63
      2.5.1.3 Ensure System is Not Acting as a Network Sniffer ... 63
    2.5.2 Wireless Networking ... 64
      2.5.2.1 Remove Wireless Hardware if Possible ... 64
      2.5.2.2 Disable Wireless Through Software Configuration ... 64
    2.5.3 IPv6 ... 65
      2.5.3.1 Disable Support for IPv6 unless Needed ... 65
      2.5.3.2 Configure IPv6 Settings if Necessary ... 66
    2.5.4 TCP Wrapper ... 68
      2.5.4.1 How TCP Wrapper Protects Services ... 68
      2.5.4.2 Reject All Connections From Other Hosts if Appropriate ... 69
      2.5.4.3 Allow Connections Only From Hosts in This Domain if Appropriate ... 69
      2.5.4.4 Monitor Syslog for Relevant Connections and Failures ... 69
      2.5.4.5 Further Resources ... 70
    2.5.5 Iptables and Ip6tables ... 70
      2.5.5.1 Inspect and Activate Default Rules ... 70
      2.5.5.2 Understand the Default Ruleset ... 71
      2.5.5.3 Strengthen the Default Ruleset ... 72
      2.5.5.4 Further Strengthening ... 75
      2.5.5.5 Further Resources ... 75
    2.5.6 Secure Sockets Layer Support ... 76
      2.5.6.1 Create a CA to Sign Certificates ... 76
      2.5.6.2 Create SSL Certificates for Servers ... 77
      2.5.6.3 Enable Client Support ... 78
      2.5.6.4 Further Resources ... 79
    2.5.7 Uncommon Network Protocols ... 79
      2.5.7.1 Disable Support for DCCP ... 79
      2.5.7.2 Disable Support for SCTP ... 80
      2.5.7.3 Disable Support for RDS ... 80
      2.5.7.4 Disable Support for TIPC ... 80
    2.5.8 IPsec ... 80
      2.5.8.1 Using Openswan for IPsec ... 81
  2.6 Logging and Auditing ... 81
    2.6.1 Configure Logging ... 81
      2.6.1.1 Configure Syslog ... 82
      2.6.1.2 Configure Rsyslog ... 84
      2.6.1.3 Logrotate ... 85
      2.6.1.4 Logwatch ... 86
    2.6.2 System Accounting with auditd ... 87
      2.6.2.1 Enable the auditd Service ... 88
      2.6.2.2 Configure auditd Data Retention ... 88
      2.6.2.3 Enable Auditing for Processes Which Start Prior to the Audit Daemon ... 89
      2.6.2.4 Configure auditd Rules for Comprehensive Auditing ... 89
      2.6.2.5 Summarize and Review Audit Logs using aureport ... 93
3 Services ... 95
  3.1 Disable All Unneeded Services at Boot Time ... 95
    3.1.1 Determine which Services are Enabled at Boot ... 95
    3.1.2 Guidance on Default Services ... 95
    3.1.3 Guidance for Unfamiliar Services ... 96
  3.2 Obsolete Services ... 97
    3.2.1 Inetd and Xinetd ... 97
    3.2.2 Telnet ... 97
      3.2.2.1 Remove Telnet Clients ... 97
    3.2.3 Rlogin, Rsh, and Rcp ... 98
      3.2.3.1 Remove the Rsh Server Commands from the System ... 98
      3.2.3.2 Remove .rhosts Support from PAM Configuration Files ... 98
      3.2.3.3 Remove the Rsh Client Commands from the System ... 98
    3.2.4 NIS ... 99
    3.2.5 TFTP Server ... 99
    3.2.6 Talk ... 99
      3.2.6.1 Remove talk-server Package ... 99
      3.2.6.2 Remove talk Package ... 100
  3.3 Base Services ... 100
    3.3.1 Installation Helper Service (firstboot) ... 100
    3.3.2 Console Mouse Service (gpm) ... 100
    3.3.3 Interrupt Distribution on Multiprocessor Systems (irqbalance) ... 100
    3.3.4 ISDN Support (isdn) ... 101
      3.3.4.1 Remove the isdn4k-utils Package if Possible ... 101
    3.3.5 Kdump Kernel Crash Analyzer (kdump) ... 101
    3.3.6 Kudzu Hardware Probing Utility (kudzu) ... 101
    3.3.7 Software RAID Monitor (mdmonitor) ... 102
    3.3.8 IA32 Microcode Utility (microcode_ctl) ... 102
    3.3.9 Network Service (network) ... 102
      3.3.9.1 Disable All Networking if Not Needed ... 102
      3.3.9.2 Disable All External Network Interfaces if Not Needed ... 102
      3.3.9.3 Disable Zeroconf Networking ... 103
    3.3.10 Smart Card Support (pcscd) ... 103
    3.3.11 SMART Disk Monitoring Support (smartd) ... 103
    3.3.12 Boot Caching (readahead_early/readahead_later) ... 103
    3.3.13 Application Support Services ... 104
      3.3.13.1 D-Bus IPC Service (messagebus) ... 104
      3.3.13.2 HAL Daemon (haldaemon) ... 104
    3.3.14 Bluetooth Support ... 105
      3.3.14.1 Bluetooth Host Controller Interface Daemon (bluetooth) ... 105
      3.3.14.2 Bluetooth Input Devices (hidd) ... 105
      3.3.14.3 Disable Bluetooth Kernel Modules ... 106
    3.3.15 Power Management Support ... 106
      3.3.15.1 Advanced Power Management Subsystem (apmd) ... 106
      3.3.15.2 Advanced Configuration and Power Interface (acpid) ... 106
      3.3.15.3 CPU Throttling (cpuspeed) ... 107
    3.3.16 Infrared Communications (irda) ... 107
      3.3.16.1 Disable the irda Service if Possible ... 107
      3.3.16.2 Remove the irda-utils Package if Possible ... 107
    3.3.17 Raw Devices (rawdevices) ... 107
      3.3.17.1 Disable the Raw Devices Daemon if Possible ... 107
  3.4 Cron and At Daemons ... 107
    3.4.1 Disable anacron if Possible ... 108
    3.4.2 Restrict Permissions on Files Used by cron ... 108
    3.4.3 Disable at if Possible ... 109
    3.4.4 Restrict at and cron to Authorized Users ... 109
  3.5 SSH Server ... 109
    3.5.1 Disable OpenSSH Server if Possible ... 109
      3.5.1.1 Disable and Remove OpenSSH Software ... 110
      3.5.1.2 Remove SSH Server iptables Firewall Exception ... 110
    3.5.2 Configure OpenSSH Server if Necessary ... 110
      3.5.2.1 Ensure Only Protocol 2 Connections Allowed ... 110
      3.5.2.2 Limit Users' SSH Access ... 110
      3.5.2.3 Set Idle Timeout Interval for User Logins ... 111
      3.5.2.4 Disable .rhosts Files ... 111
      3.5.2.5 Disable Host-Based Authentication ... 111
      3.5.2.6 Disable root Login via SSH ... 111
      3.5.2.7 Disable Empty Passwords ... 112
      3.5.2.8 Enable a Warning Banner ... 112
      3.5.2.9 Do Not Allow Users to Set Environment Options ... 112
      3.5.2.10 Use Only Approved Ciphers in Counter Mode ... 112
      3.5.2.11 Strengthen Firewall Configuration if Possible ... 113
  3.6 X Window System ... 113
    3.6.1 Disable X Windows if Possible ... 113
      3.6.1.1 Disable X Windows at System Boot ... 113
      3.6.1.2 Remove X Windows from the System if Possible ... 113
      3.6.1.3 Lock Down X Windows startx Configuration if Necessary ... 114
    3.6.2 Configure X Windows if Necessary ... 114
      3.6.2.1 Create Warning Banners for GUI Login Users ... 115
  3.7 Avahi Server ... 115
    3.7.1 Disable Avahi Server if Possible ... 115
      3.7.1.1 Disable Avahi Server Software ... 115
      3.7.1.2 Remove Avahi Server iptables Firewall Exception ... 115
    3.7.2 Configure Avahi if Necessary ... 116
      3.7.2.1 Serve Only via Required Protocol ... 116
      3.7.2.2 Check Responses' TTL Field ... 116
      3.7.2.3 Prevent Other Programs from Using Avahi's Port ... 116
      3.7.2.4 Disable Publishing if Possible ... 117
      3.7.2.5 Restrict Published Information ... 117
  3.8 Print Support ... 117
    3.8.1 Disable the CUPS Service if Possible ... 118
    3.8.2 Disable Firewall Access to Printing Service if Possible ... 118
    3.8.3 Configure the CUPS Service if Necessary ... 118
      3.8.3.1 Limit Printer Browsing ... 118
      3.8.3.2 Disable Print Server Capabilities if Possible ... 119
      3.8.3.3 Limit Access to the Web Administration Interface ... 120
      3.8.3.4 Take Further Security Measures When Appropriate ... 120
    3.8.4 The HP Linux Imaging and Printing (HPLIP) Toolkit ... 120
      3.8.4.1 Disable HPLIP Service if Possible ... 121
  3.9 DHCP ... 121
    3.9.1 Disable DHCP Client if Possible ... 121
    3.9.2 Configure DHCP Client if Necessary ... 122
      3.9.2.1 Minimize the DHCP-Configured Options ... 122
    3.9.3 Disable DHCP Server if Possible ... 123
    3.9.4 Configure the DHCP Server if Necessary ... 123
      3.9.4.1 Do Not Use Dynamic DNS ... 123
      3.9.4.2 Deny Decline Messages ... 124
      3.9.4.3 Deny BOOTP Queries ... 124
      3.9.4.4 Minimize Served Information ... 124
      3.9.4.5 Configure Logging ... 125
      3.9.4.6 Further Resources ... 125
  3.10 Network Time Protocol ... 125
    3.10.1 Select NTP Software ... 125
    3.10.2 Configure Reference NTP if Appropriate ... 126
      3.10.2.1 Configure an NTP Client ... 126
      3.10.2.2 Configure an NTP Server ... 127
    3.10.3 Configure OpenNTPD if Appropriate ... 128
      3.10.3.1 Obtain NTP Software ... 128
      3.10.3.2 Configure an SNTP Client ... 129
      3.10.3.3 Configure an SNTP Server ... 129
  3.11 Mail Transfer Agent ... 130
    3.11.1 Select Mail Server Software and Configuration ... 130
      3.11.1.1 Select Postfix as Mail Server Software ... 131
      3.11.1.2 Select Sendmail as Mail Server Software ... 131
    3.11.2 Configure SMTP For Mail Clients ... 132
      3.11.2.1 Configure Postfix for Submission-Only Mode ... 132
      3.11.2.2 Configure Sendmail for Submission-Only Mode ... 132
    3.11.3 Strategies for MTA Security ... 133
      3.11.3.1 Use Resource Limits to Mitigate Denial of Service ... 133
      3.11.3.2 Configure SMTP Greeting Banner ... 133
      3.11.3.3 Control Mail Relaying ... 133
    3.11.4 Configure Operating System to Protect Mail Server ... 134
      3.11.4.1 Use Separate Hosts for External and Internal Mail if Possible ... 134
      3.11.4.2 Protect the MTA Host from User Access ... 134
      3.11.4.3 Restrict Remote Access to the Mail Spool ... 134
      3.11.4.4 Configure iptables to Allow Access to the Mail Server ... 135
      3.11.4.5 Verify System Logging and Log Permissions for Mail ... 135
      3.11.4.6 Configure SSL Certificates for Use with SMTP AUTH ... 135
    3.11.5 Configure Sendmail Server if Necessary ... 136
      3.11.5.1 Limit Denial of Service Attacks ... 137
      3.11.5.2 Configure SMTP Greeting Banner ... 137
      3.11.5.3 Control Mail Relaying ... 137
    3.11.6 Configure Postfix if Necessary ... 139
      3.11.6.1 Limit Denial of Service Attacks ... 139
      3.11.6.2 Configure SMTP Greeting Banner ... 140
      3.11.6.3 Control Mail Relaying ... 140
      3.11.6.4 Require TLS for SMTP AUTH ... 142
  3.12 LDAP ... 142
    3.12.1 Use OpenLDAP to Provide LDAP Service if Possible ... 143
    3.12.2 Configure OpenLDAP Clients ... 143
      3.12.2.1 Configure the Appropriate LDAP Parameters for the Domain ... 143
      3.12.2.2 Configure LDAP to Use TLS for All Transactions ... 143
      3.12.2.3 Configure Authentication Services to Use OpenLDAP ... 144
    3.12.3 Configure OpenLDAP Server ... 145
      3.12.3.1 Install OpenLDAP Server RPM ... 145
      3.12.3.2 Configure Domain-Specific Parameters ... 145
      3.12.3.3 Configure an LDAP Root Password ... 145
      3.12.3.4 Configure the LDAP Server to Require TLS for All Transactions ... 146
      3.12.3.5 Install Account Information into the LDAP Database ... 148
      3.12.3.6 Configure slapd to Protect Authentication Information ... 150
      3.12.3.7 Correct Permissions on LDAP Server Files ... 151
      3.12.3.8 Configure iptables to Allow Access to the LDAP Server ... 151
      3.12.3.9 Configure Logging for LDAP ... 151
  3.13 NFS and RPC ... 152
    3.13.1 Disable All NFS Services if Possible ... 152
      3.13.1.1 Disable Services Used Only by NFS ... 152
      3.13.1.2 Disable netfs if Possible ... 153
      3.13.1.3 Disable RPC Portmapper if Possible ... 153
    3.13.2 Configure All Machines which Use NFS ... 154
      3.13.2.1 Make Each Machine a Client or a Server, not Both ... 154
      3.13.2.2 Restrict Access to the Portmapper ... 154
      3.13.2.3 Configure NFS Services to Use Fixed Ports ... 154
    3.13.3 Configure NFS Clients ... 155
      3.13.3.1 Disable NFS Server Daemons ... 155
      3.13.3.2 Mount Remote Filesystems with Restrictive Options ... 155
    3.13.4 Configure NFS Servers ... 155
      3.13.4.1 Configure the Exports File Restrictively ... 156
      3.13.4.2 Allow Legitimate NFS Clients to Access the Server ... 157
  3.14 DNS Server ... 157
    3.14.1 Disable DNS Server if Possible ... 157
    3.14.2 Run the BIND9 Software if DNS Service is Needed ... 158
    3.14.3 Isolate DNS from Other Services ... 158
      3.14.3.1 Run DNS Software on Dedicated Servers if Possible ... 158
      3.14.3.2 Run DNS Software in a chroot Jail ... 158
      3.14.3.3 Configure Firewalls to Protect the DNS Server ... 159
    3.14.4 Protect DNS Data from Tampering or Attack ... 159
      3.14.4.1 Run Separate DNS Servers for External and Internal Queries if Possible ... 159
      3.14.4.2 Use Views to Partition External and Internal Information if Necessary ... 160
      3.14.4.3 Disable Zone Transfers from the Nameserver if Possible ... 161
      3.14.4.4 Authenticate Zone Transfers if Necessary ... 162
      3.14.4.5 Disable Dynamic Updates if Possible ... 163
  3.15 FTP Server ... 163
    3.15.1 Disable vsftpd if Possible ... 163
    3.15.2 Use vsftpd to Provide FTP Service if Necessary ... 163
    3.15.3 Configure vsftpd Securely ... 164
      3.15.3.1 Enable Logging of All FTP Transactions ... 164
      3.15.3.2 Create Warning Banners for All FTP Users ... 164
      3.15.3.3 Restrict the Set of Users Allowed to Access FTP ... 164
      3.15.3.4 Disable FTP Uploads if Possible ... 165
      3.15.3.5 Place the FTP Home Directory on its Own Partition ... 166
      3.15.3.6 Configure Firewalls to Protect the FTP Server ... 166
  3.16 Web Server ... 166
    3.16.1 Disable Apache if Possible ... 166
    3.16.2 Install Apache if Necessary ... 167
      3.16.2.1 Install Apache Software Safely ... 167
      3.16.2.2 Confirm Minimal Built-in Modules ... 167
    3.16.3 Secure the Apache Configuration ... 167
      3.16.3.1 Restrict Information Leakage ... 167
      3.16.3.2 Minimize Loadable Modules ... 168
      3.16.3.3 Minimize Configuration Files Included ... 173
      3.16.3.4 Directory Restrictions ... 173
      3.16.3.5 Configure Authentication if Applicable ... 174
      3.16.3.6 Limit Available Methods ... 176
    3.16.4 Use Appropriate Modules to Improve Apache's Security ... 176
      3.16.4.1 Deploy mod_ssl ... 176
      3.16.4.2 Deploy mod_security ... 178
      3.16.4.3 Use Denial-of-Service Protection Modules ... 179
      3.16.4.4 Configure Supplemental Modules Appropriately ... 179
    3.16.5 Configure Operating System to Protect Web Server ... 180
      3.16.5.1 Restrict File and Directory Access ... 180
      3.16.5.2 Configure iptables to Allow Access to the Web Server ... 181
      3.16.5.3 Run Apache in a chroot Jail if Possible ... 181
    3.16.6 Additional Resources ... 181
  3.17 IMAP and POP3 Server ... 181
    3.17.1 Disable Dovecot if Possible ... 181
    3.17.2 Configure Dovecot if Necessary ... 182
      3.17.2.1 Support Only the Necessary Protocols ... 182
      3.17.2.2 Enable SSL Support ... 182
      3.17.2.3 Enable Dovecot Options to Protect Against Code Flaws ... 184
      3.17.2.4 Allow IMAP Clients to Access the Server ... 184
  3.18 Samba (SMB) Microsoft Windows File Sharing Server ... 184
    3.18.1 Disable Samba if Possible ... 185
    3.18.2 Configure Samba if Necessary ... 185
      3.18.2.1 Testing the Samba Configuration File ... 185
      3.18.2.2 Choosing the Appropriate security Parameter ... 185
      3.18.2.3 Disable Guest Access and Local Login Support ... 187
      3.18.2.4 Disable Root Access ... 187
      3.18.2.5 Set the Allowed Authentication Negotiation Levels ... 187
      3.18.2.6 Let Domain Controllers Create Machine Trust Accounts On-the-Fly ... 188
      3.18.2.7 Restrict Access to the [IPC$] Share ... 188
      3.18.2.8 Restrict File Sharing ... 188
      3.18.2.9 Require Server SMB Packet Signing ... 189
      3.18.2.10 Require Client SMB Packet Signing, if using smbclient ... 189
      3.18.2.11 Require Client SMB Packet Signing, if using mount.cifs ... 189
      3.18.2.12 Restrict Printer Sharing ... 189
      3.18.2.13 Configure iptables to Allow Access to the Samba Server ... 190
    3.18.3 Avoid the Samba Web Administration Tool (SWAT) ... 190
  3.19 Proxy Server ... 191
    3.19.1 Disable Squid if Possible ... 191
    3.19.2 Configure Squid if Necessary ... 191
      3.19.2.1 Listen on Uncommon Port ... 191
      3.19.2.2 Verify Default Secure Settings ... 191
      3.19.2.3 Change Default Insecure Settings ... 192
      3.19.2.4 Configure Authentication if Applicable ... 193
      3.19.2.5 Access Control Lists (ACL) ... 193
      3.19.2.6 Configure Internet Cache Protocol (ICP) if Necessary ... 195
      3.19.2.7 Configure iptables to Allow Access to the Proxy Server ... 195
      3.19.2.8 Forward Log Messages to Syslog Daemon ... 195
      3.19.2.9 Do Not Run as Root ... 196
  3.20 SNMP Server ... 197
    3.20.1 Disable SNMP Server if Possible ... 197
    3.20.2 Configure SNMP Server if Necessary ... 197
      3.20.2.1 Further Resources ... 197

1 Introduction

The purpose of this guide is to provide security configuration recommendations for the Red Hat
Enterprise Linux (RHEL) 5 operating system. The guidance provided here should be applicable to all variants (Desktop, Server, Advanced Platform) of the product. Recommended settings for the basic operating system are provided, as well as for many commonly-used services that the system can host in a network environment.

The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.

1.1 General Principles

The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered.

1.1.1 Encrypt Transmitted Data Whenever Possible

Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important. Networks of RHEL5 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines.

1.1.2 Minimize Software to Minimize Vulnerability

The simplest way to avoid vulnerabilities in software is to avoid installing that software. On RHEL, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need.

1.1.3 Run Different Network Services on Separate Systems

Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service.

1.1.4 Configure Security Tools to Improve System Robustness

Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of Iptables for host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems.

1.1.5 Least Privilege

Grant the least privilege necessary for user accounts and software to perform tasks. For example, do not allow users except those that need administrator access to use sudo. Another example is to limit logins on server systems to only those administrators who need to log into them in order to perform administration tasks. Using SELinux also follows the principle of least privilege: SELinux policy can confine software to perform only actions on the system that are specifically allowed. This can be far more restrictive than the actions permissible by the traditional Unix permissions model.

1.2 How to Use This Guide

Readers should heed the following points when using the guide.

1.2.1 Read Sections Completely and in Order

Each section may build on information and
recommendations discussed in prior sections.Each section shouldbe read and understood completely;instructions should never be blindly applied.Relevant discussion will occurafter instructions for an action.The system-level conﬁguration guidance in Chapter2must be applied to allmachines.The guidance for individual services in Chapter3must be considered for all machines as well:applythe guidance if the machine is either a server or a client for that service,and ensure that the service is disabledaccording to the instructions provided if the machine is neither a server nor a client.1.2.2 Test in Non-Production EnvironmentThis guidance should always be tested in a non-production environment before deployment.This test environmentshould simulate the setup in which the system will be deployed as closely as possible.1.2.3 Root Shell Environment AssumedMost of the actions listed in this document are written with the assumption that they will be executed by theroot user running the/bin/bash shell.Commands preceded with a hash mark (#) assume that the administratorwill execute the commands as root,i.e.apply the command via sudo whenever possible,or use su to gain rootprivileges if sudo cannot be used.Commands which can be executed as a non-root user are are preceded by adollar sign ( ) prompt.151.2.4 Formatting ConventionsCommands intended for shell execution,as well as conﬁguration ﬁle text,are featured in a monospace font.Italics are used to indicate instances where the system administrator must substitute the appropriate infor-mation into a command or conﬁguration ﬁle.Common Conﬁguration Enumeration (CCE) identiﬁers are presented at the lower right corner of those sectionsfor which an associated identiﬁer exists.More information about CCE is available athttp://cce.mitre.org.1.2.5 Reboot RequiredA system reboot is implicitly required after some actions in order to complete the reconﬁguration of the system.In many cases,the changes will not take eﬀect until a reboot is 
performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide.

2. System-wide Configuration

2.1 Installing and Maintaining Software

The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

2.1.1 Initial Installation Recommendations

The recommendations here apply to a clean installation of the system, where any previous installations are wiped out. The sections presented here are in the same order that the installer presents, but only installation choices with security implications are covered. Many of the configuration choices presented here can also be applied after the system is installed. The choices can also be automatically applied via Kickstart files, as covered in [8].

2.1.1.1 Disk Partitioning

Some system directories should be placed on their own partitions (or logical volumes). This allows for better separation and protection of data.

The installer's default partitioning scheme creates separate partitions (or logical volumes) for /, /boot, and swap. If starting with any of the default layouts, check the box to "Review and modify partitioning." This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space. In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later. If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as separate ones described in the following sections.

If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.

2.1.1.1.1 Create Separate Partition or Logical Volume for /tmp

The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.
CCE 14161-4

Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on the availability of space on the drive and the system's operating requirements.

2.1.1.1.2 Create Separate Partition or Logical Volume for /var

The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.
CCE 14777-7

Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate.

2.1.1.1.3 Create Separate Partition or Logical Volume for /var/log

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume. Make certain that it is large enough to store all the logs that will be written there.
CCE 14011-1

See Section 2.6 for more information about logging and auditing.

2.1.1.1.4 Create Separate Partition or Logical Volume for /var/log/audit

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
CCE 14171-3

See 2.6.2.2 for discussion on deciding on an appropriate size for the volume.

2.1.1.1.5 Create Separate Partition or Logical Volume for /home if Using Local Home Directories

If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
CCE 14559-9

2.1.1.2 Boot Loader Configuration

Check the box to "Use a boot loader password" and create a password. Once this password is set, anyone who wishes to change the boot loader configuration will need to enter it. More information is available in Section 2.3.5.2.

Assigning a boot loader password prevents a local user with physical access from altering the boot loader configuration at system startup.

2.1.1.3 Network Devices

The default network device configuration uses DHCP, which is not recommended. Unless use of DHCP is absolutely necessary, click the "Edit" button and:

- Uncheck "Use Dynamic IP configuration (DHCP)."
- Uncheck "Enable IPv4 Support" if the system does not require IPv4. (This is uncommon.)
- Uncheck "Enable IPv6 Support" if the system does not require IPv6.
- Enter appropriate IPv4 and IPv6 addresses and prefixes as required.

With the DHCP setting disabled, the hostname, gateway, and DNS servers should then be assigned on the main screen. Sections 3.9.1 and 3.9.2 contain more information on network configuration and the use of DHCP.

2.1.1.4 Root Password

The security of the entire system depends on the strength of the root password. The password should be at least 12 characters long, and should include a mix of capitalized and lowercase letters, special characters, and numbers. It should also not be based on any dictionary word.

2.1.1.5 Software Packages

Uncheck all package groups, including the package groups "Software Development" and "Web Server," unless there is a specific requirement to install software using the system installer. If the machine will be used as a web server, it is preferable to manually install the necessary RPMs instead of installing the full "Web Server" package group. See Section 3.16 for installation and configuration details.

Use the "Customize now" radio box to prune package groups as much as possible. This brings up a two-column view of categories and package groups. If appropriate, uncheck "X Window System" in the "Base System" category to avoid installing X entirely. Any other package groups not necessary for system operation should also be unchecked. Much finer-grained package selection is possible via Kickstart as described in [8].

2.1.1.6 First-boot Configuration

The system presents more configuration options during the first boot after installation. For the screens listed, implement the security-related recommendations:

Screen                    Recommendation
Firewall                  Leave set to "Enabled." Only check the "Trusted Services" that this system needs to serve. Uncheck the default selection of SSH if the system does not need to serve SSH.
SELinux                   Leave SELinux set to "Enforcing" mode.
Kdump                     Leave Kdump off unless the feature is required, such as for kernel development and testing.
Set Up Software Updates   If the system is connected to the Internet now, click "Yes, I'd like to register now." This will require a connection to either the Red Hat Network servers or their proxies or satellites. This can also be configured later as described in Section 2.1.2.1.
Create User               If the system will require a local user account, it can be created here. Even if the system will be using a network-wide authentication system as described in Section 2.3.6, do not click on the "Use Network Login..." button. Manually applying configuration later is preferable.

2.1.2 Updating Software

The yum command line tool is used to install and update software packages. Yum replaces the up2date utility used in previous system releases. The system also provides two graphical package managers, pirut and pup. The pirut tool is a graphical front-end for yum that allows users to install and update packages while pup is a simple update tool for packages that are already installed. In the Applications menu, pirut is labeled Add/Remove Software and pup is labeled
Software Updater. It is recommended that these tools be used to keep systems up to date with the latest security patches.

2.1.2.1 Configure Connection to the RHN RPM Repositories

The first step in configuring a system for updates is to register with the Red Hat Network (RHN). For most systems, this is done during the initial installation. Successfully registered systems will appear on the RHN web site. If the system is not listed, run the Red Hat Network Registration tool, which can be found in the Applications menu under System Tools or on the command line:

    # rhn_register

Follow the prompts on the screen. If successful, the system will appear on the RHN web site and be subscribed to one or more software update channels. Additionally, a new daemon, rhnsd, will be enabled.

If the system will not have access to the Internet, it will not be able to directly subscribe to the RHN update repository. Updates will have to be downloaded from the RHN web site manually. The command line tool yum and the graphical front-ends pirut and pup can be configured to handle this situation.

2.1.2.1.1 Ensure Red Hat GPG Key is Installed

To ensure that the system can cryptographically verify update packages (and also connect to the Red Hat Network to receive them if desired), run the following command to ensure that the system has the Red Hat GPG key properly installed:

    $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey

The command should return the string:

    gpg(Red Hat, Inc. (release key <security@redhat.com>)

CCE 14440-2

To verify that the Red Hat GPG key itself has not been tampered with, its fingerprint can be compared to the one from Red Hat's web site at http://www.redhat.com/security/team/key. The following command can be used to print the installed release key's fingerprint, which is actually contained in the file referenced below:

    $ gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

More information on package signing is also available at https://fedoraproject.org/keys.

2.1.2.2 Disable the rhnsd Daemon

The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is actually necessary to schedule updates remotely through the RHN website, it is recommended that the service be disabled.

    # chkconfig rhnsd off

CCE 3416-5

The rhnsd daemon is enabled by default, but until the system has been registered with the Red Hat Network, it will not run. However, once the registration process is complete, the rhnsd daemon will run in the background and periodically call the rhn_check utility. It is the rhn_check utility that communicates with the Red Hat Network web site. This utility is not required for the system to be able to access and install system updates.

Once the system has been registered, either use the provided yum-updatesd service or create a cron job to automatically apply updates.

2.1.2.3 Obtain Software Package Updates with yum

The yum update utility can be run by hand from the command line, called through one of the provided front-end tools, or configured to run automatically at specified intervals.

2.1.2.3.1 Manually Check for Package Updates

The following command prints a list of packages that need to be updated:

    # yum check-update

To actually install these updates, run:

    # yum update

2.1.2.3.2 Configure Automatic Update Retrieval and Installation with Cron

The yum-updatesd service is not mature enough for an enterprise environment, and the service may introduce unnecessary overhead. When possible, replace this service with a cron job that calls yum directly.

Disable the yum-updatesd service:

    # chkconfig yum-updatesd off

Create the file yum.cron, make it executable, and place it in /etc/cron.daily:

    #!/bin/sh
    /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
    /usr/bin/yum -R 10 -e 0 -d 0 -y update

CCE 4218-4

This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.

2.1.2.3.3 Ensure Package Signature Checking is Globally Activated

The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation. To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section:

    gpgcheck=1

CCE 14914-6

2.1.2.3.4 Ensure Package Signature Checking is Not Disabled For Any Repos

To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere:

    gpgcheck=0

CCE 14813-0

2.1.3 Software Integrity Checking

The AIDE (Advanced Intrusion Detection Environment) software is included with the system to provide software integrity checking. It is designed to be a replacement for the well-known Tripwire integrity checker. The RPM software also includes the ability to compare the hashes of installed files with those in its own metadata database.

Integrity checking cannot prevent intrusions into your system, but can detect that they have occurred. Such integrity checking software should be configured before the system is deployed and able to provide services to users. Ideally, the integrity checking database would be built before the system is connected to any network, though this may prove impractical due to registration and software updates.

2.1.3.1 Configure AIDE

Requirements for software integrity checking should be defined by policy, and this is highly dependent on the environment in which the system will be used. As such, a general strategy for implementing integrity checking is provided, but precise recommendations (such as to check a particular file) cannot be. Documentation for AIDE, including the quick-start on which this advice is based, is available in /usr/share/doc/aide-0.12.

The prelinking feature can interfere with the operation of AIDE, because it changes binaries in an attempt to decrease their startup time. Set PRELINKING=no inside /etc/sysconfig/prelink and run /usr/sbin/prelink -ua to restore binaries to a non-prelinked state and prevent prelinking from causing false positive results from AIDE.
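Before building the AIDE baseline in the steps that follow, it is worth confirming that the yum signature settings of Sections 2.1.2.3.3 and 2.1.2.3.4 actually hold, since the database should capture a system that has been updated only from verified packages. The script below is an added example and not part of this guide: it audits the yum.conf and yum.repos.d found under a directory passed as an argument, and the sample tree it builds under mktemp is constructed data, not a real system's configuration.

```shell
# Added example (not from the NSA guide): audit yum signature checking.
# audit_gpgcheck ETCDIR
#   ETCDIR/yum.conf must set gpgcheck=1 in its [main] section, and no file
#   ETCDIR/yum.repos.d/*.repo may set gpgcheck=0 (Sections 2.1.2.3.3/2.1.2.3.4).
#   Prints one FAIL line per problem; returns 0 when clean, 1 otherwise.
audit_gpgcheck() {
    etc="$1"
    rc=0
    # Track the current INI section; only gpgcheck=1 inside [main] counts.
    if ! awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
        in_main && /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$etc/yum.conf" 2>/dev/null; then
        echo "FAIL: $etc/yum.conf: [main] does not set gpgcheck=1"
        rc=1
    fi
    # Any repo file that turns checking off overrides the global setting.
    for repo in "$etc"/yum.repos.d/*.repo; do
        [ -f "$repo" ] || continue          # glob matched nothing
        if grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0([[:space:]]|$)' "$repo"; then
            echo "FAIL: $repo disables gpgcheck"
            rc=1
        fi
    done
    return $rc
}

# make_sample_etc
#   Builds a constructed /etc-style tree under mktemp: a compliant yum.conf,
#   one compliant repo and one repo that turns gpgcheck off. Prints its path.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir "$d/yum.repos.d"
    printf '[main]\ncachedir=/var/cache/yum\ngpgcheck=1\nplugins=1\n' > "$d/yum.conf"
    printf '[rhel-server]\nname=constructed good repo\nbaseurl=http://repo.example/rhel5\ngpgcheck=1\n' \
        > "$d/yum.repos.d/rhel.repo"
    printf '[local-builds]\nname=constructed bad repo\nbaseurl=file:///srv/rpms\ngpgcheck = 0\n' \
        > "$d/yum.repos.d/local.repo"
    echo "$d"
}

# Demonstration on the constructed tree; on a live system run: audit_gpgcheck /etc
demo=$(make_sample_etc)
audit_gpgcheck "$demo" || echo "signature checking is not enforced everywhere"
rm -rf "$demo"
```

The awk program honours gpgcheck=1 only inside the [main] section, so a gpgcheck=1 line placed under some other section does not satisfy the first check; the repo scan accepts whitespace around the equals sign, which yum also tolerates.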
2.1.3.1.1 Install AIDE

AIDE is not installed by default. Install it with the command:

    # yum install aide

CCE 4209-3

2.1.3.1.2 Customize Configuration File

Customize /etc/aide.conf to meet your requirements. The default configuration is acceptable for many environments. The man page aide.conf(5) provides detailed information about the configuration file format.

2.1.3.1.3 Build, Store, and Test Database

Generate a new database:

    # /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.

The database, as well as the configuration file /etc/aide.conf and the binary /usr/sbin/aide (or hashes of these files) should be copied and stored in a secure location. Storing these copies or hashes on read-only media may provide further confidence that they will not be altered.

Install the newly-generated database:

    # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a manual check:

    # /usr/sbin/aide --check

If this check produces any unexpected output, investigate.

2.1.3.1.4 Implement Periodic Execution of Integrity Checking

By default, AIDE does not install itself for periodic execution.

Implement checking with whatever frequency is required by your security policy. A once-daily check may be suitable for many environments. For example, to implement a daily execution of AIDE at 4:05am, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check

AIDE output may be an indication of an attack against your system, or it may be the result of something innocuous such as an administrator's configuration change or a software update. The steps in Section 2.1.3.1.3 should be repeated when configuration changes or software updates necessitate. This will certainly be necessary after applying guidance later in this guide.

2.1.3.1.5 Manually Verify Integrity of AIDE

Because integrity checking is a means of intrusion detection and not intrusion prevention, it cannot be guaranteed that the AIDE binaries, configuration files, or database have not been tampered with. An attacker could disable or alter these files after a successful intrusion. Because of this, manual and frequent checks on these files are recommended. The safely stored copies (or hashes) of the database, binary, and configuration file were created earlier for this purpose.

Manually verify the integrity of the AIDE binaries, configuration file, and database. Possibilities for doing so include:

1. Use sha1sum or md5sum to generate checksums on the files and then visually compare them to those generated from the safely stored versions. This does not, of course, preclude the possibility that such output could also be faked.
2. Mount the stored versions on read-only media and run /bin/diff to verify that there are no differences between the files.
3. Copying the files to another system and performing the hash or file comparisons there may impart additional confidence that the manual verification process is not being interfered with.

2.1.3.2 Verify Package Integrity Using RPM

The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files.

To determine which files on the system differ from what is expected by the RPM database:

    # rpm -qVa

A "c" in the second column indicates that a file is a configuration file (and may be expected to change). In order to exclude configuration files from this list, run:

    # rpm -qVa | awk '$2!="c"{print $0}'

CCE 14931-0

The man page rpm(8) describes the format of the output. Any files that do not match the expected output demand further investigation if the system is being seriously examined. This check could also be run as a cron job.
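Option 1 of Section 2.1.3.1.5 (compare checksums against the copies stored in Section 2.1.3.1.3) can be scripted so that the comparison is exact rather than visual and can gate the scheduled aide --check. The functions below are an added example, not part of this guide: make_manifest records SHA-1 sums of whatever files it is given, verify_aide_trust compares the live files against that record, and the demonstration at the end uses constructed stand-in files under mktemp rather than the real /usr/sbin/aide, /etc/aide.conf and /var/lib/aide/aide.db.gz. The manifest is what would be kept on read-only or off-box media.

```shell
# Added example (not from the NSA guide): verify the AIDE binary, config and
# database against previously recorded checksums.

# make_manifest MANIFEST FILE...
#   Records one "sha1  path" line per FILE into MANIFEST (sha1sum -c format).
make_manifest() {
    out="$1"; shift
    sha1sum "$@" > "$out"
}

# failed_files MANIFEST
#   Prints the path of every recorded file whose current SHA-1 differs from
#   the manifest or that can no longer be read. Prints nothing when all match.
failed_files() {
    # sha1sum -c prints "path: OK" or "path: FAILED..."; keep the non-OK lines.
    sha1sum -c "$1" 2>/dev/null | awk -F': ' '$NF != "OK" { print $1 }'
}

# verify_aide_trust MANIFEST
#   Returns 0 when every recorded file is unchanged, 1 otherwise, naming the
#   changed files so an operator can decide whether aide --check is still
#   meaningful.
verify_aide_trust() {
    bad=$(failed_files "$1")
    if [ -n "$bad" ]; then
        echo "AIDE components changed since the manifest was recorded:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Demonstration with constructed stand-ins for the real AIDE files.
demo=$(mktemp -d)
printf 'stand-in for /usr/sbin/aide\n'           > "$demo/aide"
printf 'stand-in for /etc/aide.conf\n'           > "$demo/aide.conf"
printf 'stand-in for /var/lib/aide/aide.db.gz\n' > "$demo/aide.db.gz"
make_manifest "$demo/manifest.sha1" "$demo/aide" "$demo/aide.conf" "$demo/aide.db.gz"
verify_aide_trust "$demo/manifest.sha1" && echo "baseline verified"
printf '# appended line simulating tampering\n' >> "$demo/aide.conf"
verify_aide_trust "$demo/manifest.sha1" || true
rm -rf "$demo"
```

As the guide notes, a compromised host can also lie to this script (sha1sum itself could be replaced), so running the same comparison from another system, as in option 3, remains the stronger check.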
2.2 File Permissions and Masks

Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. Adhere to the principle of least privilege: configure each file, directory, and filesystem to allow only the access needed in order for that file to serve its purpose.

However, Linux systems contain a large number of files, so it is often prohibitively time-consuming to ensure that every file on a machine has exactly the permissions needed. This section introduces several permission restrictions which are almost always appropriate for system security, and which are easy to test and correct.

Note: Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local ext2 or ext3 partition on a given machine. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn. The following command prints a list of ext2 and ext3 partitions on a given machine:

    $ mount -t ext2,ext3 | awk '{print $3}'

If your site uses a local filesystem type other than ext2 or ext3, you will need to modify this command.

2.2.1 Restrict Partition Mount Options

System partitions can be mounted with certain options which limit what files on those partitions can do. These options are set in the file /etc/fstab, and can be used to make certain types of malicious behavior more difficult.

2.2.1.1 Add nodev Option to Non-Root Local Partitions

Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions:

- The filesystem type is ext2 or ext3
- The mount point is not /

add the text ",nodev" to the list of mount options in column 4.
CCE 4249-9

The nodev option prevents users from mounting unauthorized devices on any partition which is known not to contain any authorized devices. The root partition typically contains the /dev directory, which is the primary location for authorized devices, so this option should not be set on /.

However, if system programs are being run in chroot jails, this advice may need to be modified further, since it is often necessary to create device files inside the chroot directory for use by the restricted program.

2.2.1.2 Add nodev, nosuid, and noexec Options to Removable Storage Partitions

Edit the file /etc/fstab. Filesystems which represent removable media can be located by finding lines whose mount points contain strings like floppy or cdrom.

For each line representing a removable media mountpoint, add the text noexec,nodev,nosuid to the list of mount options in column 4.
CCE 3522-0, 4275-4, 4042-8

Filesystems mounted on removable media also provide a way for malicious executables to potentially enter the system, and should be mounted with options which grant least privilege. Users should not be allowed to introduce arbitrary devices or setuid programs to a system. In addition, while users are usually allowed to add executable programs to a system, the noexec option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code.

Mount points in /etc/fstab may not exist on a modern system with typical hardware. The dynamic mounting mechanism may be controlled through other means (which may or may not allow control of the mount options). Adding noexec will cause problems if it is necessary in your environment to execute code from removable media, though that behavior carries risks as well.

2.2.1.3 Add nodev, nosuid, and noexec Options to Temporary Storage Partitions

Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables. Although mount options cannot prevent interpreted code stored there from getting executed by a program in another partition, using certain mount options can be disruptive to malicious code.
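The rules of Sections 2.2.1.1 through 2.2.1.4 can be checked against an fstab in one pass. The script below is an added example, not part of this guide: audit_fstab takes the fstab path as an argument so it can be run against the constructed sample it writes (a made-up layout, not any real host's) or against /etc/fstab, and it applies the /tmp, /dev/shm and /var/tmp rules of the subsections that follow alongside the nodev and removable-media rules above.

```shell
# Added example (not from the NSA guide): audit an fstab for the mount
# options recommended in Section 2.2.1.

# audit_fstab FSTAB
#   Prints "FAIL: <mountpoint> missing <option>" for each missing option.
#   Returns 0 when the file satisfies every rule, 1 otherwise.
audit_fstab() {
    awk '
        # has(opt): true when opt appears in the comma-separated list in $4
        function has(opt,    n, i, parts) {
            n = split($4, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == opt) return 1
            return 0
        }
        # need(opt): report the current line if it lacks opt
        function need(opt) {
            if (!has(opt)) { printf "FAIL: %s missing %s\n", $2, opt; bad = 1 }
        }
        /^[ \t]*#/ || NF < 4 { next }                 # comments, blanks, junk
        # 2.2.1.1: every ext2/ext3 filesystem except the root gets nodev
        ($3 == "ext2" || $3 == "ext3") && $2 != "/" { need("nodev") }
        # 2.2.1.2: removable media, located by floppy/cdrom in the mount point
        $2 ~ /floppy|cdrom/ { need("nodev"); need("nosuid"); need("noexec") }
        # 2.2.1.3 and 2.2.1.4: /tmp, /dev/shm and the /var/tmp bind mount
        $2 == "/tmp" || $2 == "/dev/shm" || $2 == "/var/tmp" {
            need("nodev"); need("nosuid"); need("noexec")
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_fstab
#   Writes a constructed fstab (not from any real host) to a temp file and
#   prints its path. /boot, /tmp and /var/tmp are compliant; /var, /dev/shm
#   and the cdrom line are not.
write_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
/dev/VolGroup00/LogVol00 /            ext3    defaults                     1 1
LABEL=/boot              /boot        ext3    defaults,nodev               1 2
/dev/VolGroup00/LogVol01 /tmp         ext3    defaults,nodev,nosuid,noexec 1 2
/dev/VolGroup00/LogVol02 /var         ext3    defaults                     1 2
tmpfs                    /dev/shm     tmpfs   defaults                     0 0
/dev/cdrom               /media/cdrom iso9660 noauto,owner,ro              0 0
/tmp                     /var/tmp     none    rw,noexec,nosuid,nodev,bind  0 0
EOF
    echo "$f"
}

# Demonstration: the sample produces seven FAIL lines, one per missing option.
sample=$(write_sample_fstab)
audit_fstab "$sample" || echo "fstab needs attention"
rm -f "$sample"
```

Note that a /tmp entry of type ext3 is caught twice if it lacks nodev (once by the ext3 rule and once by the /tmp rule); the output is meant to be read by an administrator who then edits the line, not consumed by a tool.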
2.2.1.3.1 Add nodev, nosuid, and noexec Options to /tmp

Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4.
CCE 14412-1, 14940-1, 14927-8

2.2.1.3.2 Add nodev, nosuid, and noexec Options to /dev/shm

Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4.
CCE 15007-8, 14306-5, 14703-3

2.2.1.4 Bind-mount /var/tmp to /tmp

Edit the file /etc/fstab. Add the following line:

    /tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

CCE 14584-7

This line will bind-mount the world-writeable /var/tmp directory onto /tmp, using the restrictive mount options specified. See the mount(8) man page for further explanation of bind mounting.

2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems

Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may increase convenience, but they all bring some risk, whether direct risk from allowing unprivileged users to introduce arbitrary filesystems to a machine, or risk that software flaws in the automated mount facility itself will allow an attacker to compromise the system.

Use caution when enabling any such facility, and find out whether better configuration management or user education might solve the same problem with less risk.

2.2.2.1 Restrict Console Device Access

The default system configuration grants the console user enhanced privileges normally reserved for the root user, including temporary ownership of most system devices. If not necessary, these privileges should be removed and restricted to root only.

Restrict device ownership to root only. Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:

    # permission definitions

Prepend a # symbol to comment out each line in that section which starts with <console> or <xconsole>:

    #<console> 0660 <floppy> 0660 root.floppy
    #<console> 0600 <sound> 0600 root
    ...
    #<xconsole> 0600 /dev/console 0600 root.root
    #<console> 0600 <dri> 0600 root

Edit /etc/security/console.perms and make the following changes:

    <console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
    <xconsole>=:0\.[0-9] :0

CCE 3685-5

2.2.2.2 Disable USB Device Support

USB flash or hard drives allow an attacker with physical access to a system to quickly copy an enormous amount of data from it.

2.2.2.2.1 Disable Modprobe Loading of USB Storage Driver

If USB storage devices should not be used, the modprobe program used for automatic kernel module loading should be configured to not load the USB storage driver upon demand.

Add the following line to /etc/modprobe.conf to prevent loading of the usb-storage kernel module:

    install usb-storage /bin/true

CCE 4187-1

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

2.2.2.2.2 Remove USB Storage Driver

If your system never requires the use of USB storage devices, then the supporting driver can be removed. Though more effective (as USB storage certainly cannot be used if the driver is not available at all), this is less elegant than the method described in Section 2.2.2.2.1.

To remove the USB storage driver from the system:

    rm /lib/modules/kernelversion(s)/kernel/drivers/usb/storage/usb-storage.ko

This command will need to be repeated every time the kernel is updated. This command will also cause the command rpm -q --verify kernel to fail, which may be an undesirable side effect.
CCE 4006-3

Note that this guidance will not prevent USB storage devices from being mounted if a custom kernel (i.e., not the one supplied with the system) with built-in USB support is used.

2.2.2.2.3 Disable Kernel Support for USB via Bootloader Configuration

Another means of disabling USB storage is to disable all USB support provided by the operating system. This can be accomplished by adding the "nousb" argument to the kernel's boot loader configuration.

Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This guidance is inappropriate for systems which require USB connectivity.

To disable kernel support for USB, append "nousb" to the kernel line in /etc/grub.conf as follows:

    kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb

CCE 4173-1

2.2.2.2.4 Disable Booting from USB Devices

An attacker with physical access could try to boot the system from a USB flash drive and then access any data on the system's hard drive, circumventing the normal operating system's access controls. To prevent this, configure the BIOS to disallow booting from USB drives. Also configure the BIOS or firmware password as described in Section 2.3.5.1 to prevent unauthorized configuration changes.
CCE 3944-6

2.2.2.3 Disable the Automounter if Possible

If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service:

    # chkconfig autofs off

CCE 4072-5

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.

Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

2.2.2.4 Disable GNOME Automounting if Possible

The system's default desktop environment, GNOME, runs the program gnome-volume-manager to mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system.

Execute the following commands to prevent gnome-volume-manager from automatically mounting devices and media:

    # gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /desktop/gnome/volume_manager/automount_media false
    # gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /desktop/gnome/volume_manager/automount_drives false

Verify the changes by executing the following command, which should return a list of settings:

    # gconftool-2 -R /desktop/gnome/volume_manager

The automount_drives and automount_media settings should be set to false. Survey the list for any other options that should be adjusted.
CCE 4231-7

The system's capabilities for automatic mounting should be configured to match whatever is defined by security policy. Disabling USB storage as described in Section 2.2.2.2.1 will prevent the use of USB storage devices, but this step can also be taken as an additional layer of prevention and to prevent automatic mounting of CDs and DVDs if required.

Particularly for kiosk-style systems, where users should have extremely limited access to the system, more detailed information can be found in Red Hat Desktop: Deployment Guide [5]. The gconf-editor program, available in an RPM of the same name, can be used to explore other settings available in the GNOME environment.

2.2.2.5 Disable Mounting of Uncommon Filesystem Types

Append the following lines to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:

    install cramfs /bin/true
    install freevxfs /bin/true
    install jffs2 /bin/true
    install hfs /bin/true
    install hfsplus /bin/true
    install squashfs /bin/true
    install udf /bin/true

CCE 14089-7, 14457-6, 15087-0, 14093-9, 14853-6, 14118-4, 14871-8

Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.

2.2.2.6 Disable All GNOME Thumbnailers if Possible

The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder.

Execute the following command to prevent the thumbnailers from automatically creating thumbnails for new or modified folder contents:

    # gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /desktop/gnome/thumbnailers/disable_all true

This effectively prevents an attacker from gaining access to a system through a flaw in GNOME's Nautilus thumbnail creators.

2.2.3 Verify Permissions on Important Files and Directories

Permissions for many files on a system should be set to conform to system policy. This section discusses important permission restrictions which should be checked on a regular basis to ensure that no harmful discrepancies have arisen.

2.2.3.1 Verify Permissions on passwd, shadow, group and gshadow Files

    # cd /etc
    # chown root:root passwd shadow group gshadow
    # chmod 644 passwd group
    # chmod 400 shadow gshadow

CCE 3988-3, 3883-6, 3276-3, 3932-1, 4064-2, 4210-1, 3918-0, 3566-7, 3958-6, 3967-7, 3495-9, 4130-1

These are the default permissions for these files. Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled.

2.2.3.2 Verify that All World-Writable Directories Have Sticky Bits Set

Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition PART:

    # find PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

If this command produces any output, fix each reported directory (shown here as /dir) using the command:

    # chmod +t /dir

CCE 3399-3

When the so-called "sticky bit" is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
adirectory to be world-writable,a better solution is to remove that permission rather than to set the sticky bit.However,if a directory is used by a particular application,consult that application’s documentation instead ofblindly changing modes.2.2.3.3 Find Unauthorized World-Writable FilesThe following command discovers and prints any world-writable ﬁles in local partitions.Run it once for eachlocal partition PART:#find PART -xdev -type f -perm -0002 -printIf this command produces any output,ﬁx each reported ﬁle file using the command:#chmod o-w fileCCE 3795-2Data in world-writable ﬁles can be modiﬁed by any user on the system.In almost all circumstances,ﬁles can beconﬁgured using a combination of user and group permissions to support whatever legitimate access is neededwithout the risk caused by world-writable ﬁles.It is generally a good idea to remove global (other) write access to a ﬁle when it is discovered.However,checkwith documentation for speciﬁc applications before making changes.Also,monitor for recurring world-writableﬁles,as these may be symptoms of a misconﬁgured application or user account.2.2.3.4 Find Unauthorized SUID/SGID System ExecutablesThe following command discovers and prints any setuid or setgid ﬁles on local partitions.Run it once foreach local partition PART:#find PART -xdev\( -perm -4000 -o -perm -2000\) -type f -printIf the ﬁle does not require a setuid or setgid bit as discussed below,then these bits can be removed with thecommand:#chmod -s fileCCE 14340-4,14970-832 CHAPTER 2.SYSTEM-WIDE CONFIGURATIONThe following table contains all setuid and setgid ﬁles which are expected to be on a stock system.The setuid orsetgid bit on these ﬁles may be disabled to reduce systemrisk if only an administrator requires their functionality.The table indicates those ﬁles which may not be needed.Note:Several of these ﬁles are used for applications which are unlikely to be relevant to most productionenvironments,such as ISDN networking,SSH hostbased 
authentication,or modiﬁcation of network interfacesby unprivileged users.It is extremely likely that your site can disable a subset of these ﬁles with no loss offunctionality.Any ﬁles found by the above command which are not in the table should be examined.If the ﬁles are notauthorized,they should have permissions removed,and further investigation may be warranted.File Set-ID Subsystem/Ref Disable?/bin/mount uid root ﬁlesystems no/bin/ping uid root net (3.3.9) no/bin/ping6 uid root net (3.3.9),IPv6 (2.5.3) unless IPv6 is used/bin/su uid root auth (2.3.1.2) no/bin/umount uid root ﬁlesystems no/sbin/mount.nfs uid root NFS (3.13) unless NFS is used/sbin/mount.nfs4 uid root NFS (3.13) unless NFSv4 is used/sbin/netreport gid root net (3.3.9) unless users must modify interfaces/sbin/pamtimestampcheck uid root PAM auth (2.3.3) no/sbin/umount.nfs uid root NFS (3.13) unless NFS is used/sbin/umount.nfs4 uid root NFS (3.13) unless NFSv4 is used/sbin/unixchkpwd uid root PAM auth (2.3.3) no/usr/bin/at uid root cron/at (3.4) no/usr/bin/chage uid root passwd expiry (2.3.1.7) unless users must view expiry info/usr/bin/chfn uid root user info unless users must change ﬁnger info/usr/bin/chsh uid root user info unless users must change shells/usr/bin/crontab uid/gid root cron/at (3.4) unless users must use cron/usr/bin/gpasswd uid root group auth no/usr/bin/locate gid slocate locate database no/usr/bin/lockfile gid mail procmail unless procmail is used/usr/bin/newgrp uid root group auth no/usr/bin/passwd uid root passwd auth no/usr/bin/rcp uid root rsh (3.2.3) yes (rsh is obsolete)/usr/bin/rlogin uid root rsh (3.2.3) yes (rsh is obsolete)/usr/bin/rsh uid root rsh (3.2.3) yes (rsh is obsolete)/usr/bin/ssh-agent gid nobody SSH (3.5) no/usr/bin/sudo uid root sudo (2.3.1.3) no/usr/bin/sudoedit uid root sudo (2.3.1.3) no/usr/bin/wall gid tty console messaging unless console messaging is used/usr/bin/write gid tty console messaging unless console messaging is used/usr/bin/Xorg uid root X11 
(3.6) unless X11 is used/usr/kerberos/bin/ksu uid root Kerberos auth (2.3.6) unless Kerberos is used/usr/libexec/openssh/ssh-keysign uid root SSH (3.5) unless sshd uses hostbased auth/usr/libexec/utempter/utempter gid utmp terminal support no/usr/lib/squid/pamauth uid root squid (3.19) unless squid is used/usr/lib/squid/ncsaauth uid root squid (3.19) unless squid is used/usr/lib/vte/gnome-pty-helper gid utmp X11,Gnome (3.6) unless X11 is used/usr/sbin/ccredsvalidate uid root PAM auth (2.3.3) unless PAM auth caching is used/usr/sbin/lockdev gid lock ﬁlesystems no/usr/sbin/sendmail.sendmail gid smmsp sendmail client (3.11.2) no/usr/sbin/suexec uid root apache (3.16) unless apache is used/usr/sbin/userhelper uid root PAM auth (2.3.3.4) restrict (see section2.3.3.4)/usr/sbin/userisdnctl uid root ISDN unless ISDN is used33File Set-ID Subsystem/Ref Disable?/usr/sbin/usernetctl uid root user network control unless users must modify interfaces2.2.3.5 Find and Repair Unowned FilesThe following command will discover and print any ﬁles on local partitions which do not belong to a validuser and a valid group.Run it once for each local partition PART:#find PART -xdev\( -nouser -o -nogroup\) -printIf this command prints any results,investigate each reported ﬁle and either assign it to an appropriate userand group or remove it.CCE 4223-4,3573-3Unowned ﬁles are not directly exploitable,but they are generally a sign that something is wrong with somesystem process.They may be caused by an intruder,by incorrect software installation or incomplete softwareremoval,or by failure to remove all ﬁles belonging to a deleted account.The ﬁles should be repaired so that theywill not cause problems when accounts are created in the future,and the problem which led to unowned ﬁlesshould be discovered and addressed.2.2.3.6 Verify that All World-Writable Directories Have Proper OwnershipLocate any directories in local partitions which are world-writable and ensure that they are owned by rootor 
another system account.The following command will discover and print these (assuming only systemaccounts have a uid lower than 500).Run it once for each local partition PART:#find PART -xdev -type d -perm -0002 -uid +500 -printIf this command produces any output,investigate why the current owner is not root or another systemaccount.CCE 14794-2Allowing a user account to own a world-writable directory is undesirable because it allows the owner of thatdirectory to remove or replace any ﬁles that may be placed in the directory by other users.2.2.4 Restrict Programs from Dangerous Execution PatternsThe recommendations in this section provide broad protection against information disclosure or other misbehav-ior.These protections are applied at the system initialization or kernel level,and defend against certain types ofbadly-conﬁgured or compromised programs.2.2.4.1 Set Daemon umaskEdit the ﬁle/etc/sysconfig/init,and add or correct the following line:umask 027CCE 4220-034 CHAPTER 2.SYSTEM-WIDE CONFIGURATIONThe settings ﬁle/etc/sysconfig/init contains settings which apply to all processes started at boot time.The system umask must be set to at least 022,or daemon processes may create world-writable ﬁles.Themore restrictive setting 027 protects ﬁles,including temporary ﬁles and log ﬁles,from unauthorized reading byunprivileged users on the system.If a particular daemon needs a less restrictive umask,consider editing the startup script or sysconﬁg ﬁle of thatdaemon to make a speciﬁc exception.2.2.4.2 Disable Core DumpsTo disable core dumps for all users,add or correct the following line in/etc/security/limits.conf:* hard core 0In addition,to ensure that core dumps can never be made by setuid programs,edit/etc/sysctl.conf andadd or correct the line:fs.suid_dumpable = 0CCE 4225-9,4247-3A core dump ﬁle is the memory image of an executable program when it was terminated by the operating systemdue to errant behavior.In most cases,only software developers would legitimately need 
to access these ﬁles.Thecore dump ﬁles may also contain sensitive information,or unnecessarily occupy large amounts of disk space.By default,the system sets a soft limit to stop the creation of core dump ﬁles for all users.This is accomplishedin/etc/profile with the line:ulimit -S -c 0 >/dev/null 2>&1However,compliance with this limit is voluntary;it is a default intended only to protect users fromthe annoyance
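The find checks of Sections 2.2.3.2 through 2.2.3.6 collected into functions and exercised against a constructed directory tree, as an added example that is not part of the guide; the fixture paths are invented, the uid < 500 convention for system accounts is the guide's own assumption, and the fix function applies only the guide's chmod remediations (the ownership check is left for manual investigation).

```shell
#!/bin/sh
# Added example (not from the guide): the Section 2.2.3 find checks as
# functions, plus a constructed tree that trips each one, so the checks
# can be exercised offline without touching a real partition.

# 2.2.3.2: world-writable directories that lack the sticky bit
ww_dirs_without_sticky() { find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print; }

# 2.2.3.3: world-writable regular files
ww_files() { find "$1" -xdev -type f -perm -0002 -print; }

# 2.2.3.4: setuid or setgid regular files (compare the output with the guide's table)
setid_files() { find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print; }

# 2.2.3.6: world-writable directories owned by a non-system account
# (assumes, as on RHEL 5, that system accounts have uid < 500)
ww_dirs_user_owned() { find "$1" -xdev -type d -perm -0002 -uid +500 -print; }

# Constructed fixture: one clean and one offending item per check.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/tmp_ok" "$d/shared_bad" "$d/app"
    chmod 1777 "$d/tmp_ok"       # world-writable but sticky: not reported
    chmod 0777 "$d/shared_bad"   # world-writable, no sticky: reported
    chmod 0755 "$d/app"
    echo data > "$d/app/report.txt"; chmod 0666 "$d/app/report.txt"  # o+w file
    echo bin  > "$d/app/helper";     chmod 4755 "$d/app/helper"      # setuid file
    printf '%s\n' "$d"
}

# Count findings from the three owner-independent checks for one partition.
# Prints one line per check and returns non-zero if anything was reported.
audit() {
    part=$1; total=0
    for check in ww_dirs_without_sticky ww_files setid_files; do
        n=$("$check" "$part" | wc -l | tr -d ' ')
        printf '%-24s %s\n' "$check" "$n"
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}

# Apply the guide's remediation commands to the findings (ug-s is the
# long form of the guide's "chmod -s").
fix() {
    ww_dirs_without_sticky "$1" | while read -r dir; do chmod +t "$dir"; done
    ww_files "$1"               | while read -r f; do chmod o-w "$f"; done
    setid_files "$1"            | while read -r f; do chmod ug-s "$f"; done
}
```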
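An added example, not from the guide, that checks the three settings of Sections 2.2.4.1 and 2.2.4.2 in copies of /etc/sysconfig/init, /etc/security/limits.conf and /etc/sysctl.conf; the file contents are constructed so the script runs without root, and the umask comparison is bitwise so any mask at least as strict as the required one passes.

```shell
#!/bin/sh
# Added example (not from the guide): verify the Section 2.2.4 settings in
# copies of the three configuration files. The contents written by
# make_fixture are constructed, not taken from any real system.

# Last uncommented "umask NNN" line in a sysconfig-style file (empty if none).
daemon_umask() { awk '$1 == "umask" { v = $2 } END { print v }' "$1"; }

# True if mask $1 clears every bit that mask $2 clears, i.e. it is at least
# as restrictive: 027 and 077 both satisfy a requirement of 027, 022 does not.
# A leading 0 makes printf read the digits as octal.
umask_covers() {
    [ -n "$1" ] || return 1
    have=$(printf '%d' "0$1"); need=$(printf '%d' "0$2")
    [ $((have & need)) -eq "$need" ]
}

# True if limits.conf carries an uncommented "* hard core 0" entry.
hard_core_limit_disabled() {
    awk '$1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { f = 1 }
         END { exit !f }' "$1"
}

# True if the last uncommented fs.suid_dumpable assignment is 0
# (sysctl applies the file in order, so the final value is what sticks).
suid_dumpable_disabled() {
    awk -F= '$1 ~ /^[ \t]*fs\.suid_dumpable[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { exit !(v == "0") }' "$1"
}

# Constructed fixture carrying the weak settings a default install might have.
make_fixture() {
    d=$(mktemp -d)
    printf 'umask 022\n' > "$d/init"
    printf '# core dumps\n*    soft    core    0\n' > "$d/limits.conf"
    printf 'net.ipv4.ip_forward = 0\nfs.suid_dumpable = 1\n' > "$d/sysctl.conf"
    printf '%s\n' "$d"
}

# Run all three checks against a directory holding the three files;
# prints one line per failed check and returns non-zero if any failed.
check_all() {
    rc=0
    umask_covers "$(daemon_umask "$1/init")" 027 || { echo "daemon umask is not at least 027"; rc=1; }
    hard_core_limit_disabled "$1/limits.conf"   || { echo "no hard core limit of 0"; rc=1; }
    suid_dumpable_disabled "$1/sysctl.conf"     || { echo "fs.suid_dumpable is not 0"; rc=1; }
    return $rc
}
```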